
FireWall Troubleshooting - Demystifying the Flow Logic

27/1/2021

1 Comment

 
​Introducing the "Firewall Troubleshooting" (EDU-330) course.

On Tuesday, 26th of January 2021, we ran this training workshop for Palo Alto Networks. It gives a taste of the "Firewall Troubleshooting" (EDU-330) course by teaching a full module.
Follow us on LinkedIn to hear when we run the next session or sign up to our FireWall Best Practices mailing list.

What you will learn

  • The value of the "Firewall Troubleshooting" (EDU-330) course - we will show you with some examples and use cases what you can learn in this course and how it can make your job easier
  • Troubleshooting Security Policy match - troubleshooting why a desired security policy does not match can be highly frustrating. We will show you the tips and tricks to find out what's wrong.
  • Behind the scenes "The Flow Logic" - Did you ever wonder why certain traffic doesn't show up in the traffic logs? We will explain the underlying architecture of the Next-Generation FireWall and what happens to a packet when it is being processed.

​Need Help?

Contact us or give us a call at +353 (1) 5241014 / +1 (650) 407-1995. We are a Palo Alto Networks Certified Professional Service Provider (CPSP) and the Next-Generation Security Platform is what we do all day every day. Let us share our experience with you to make your Next-Generation Security project a smooth experience and, most importantly, to give you peace of mind by truly securing your valuable IT assets.
This document is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. You are free to share and adapt this document as long as you give appropriate credit to the author Lars Meyer. If you remix, transform or build upon the material, you must distribute your contributions under the same license as the original.
Disclaimer: Consigas Limited accepts no liability for the content of this blog post, or for the consequences of any actions taken on the basis of the information provided. Any views or opinions presented in this document are solely those of the author and do not necessarily represent those of Palo Alto Networks.

Cortex XDR - Incident Management

3/12/2020

0 Comments

 
Consigas' Technical Director, Lars Meyer, presented this deep dive training session on Cortex XDR Incident Management at Palo Alto Networks Ignite'20.
Learn more about Cortex XDR by joining the official training "Cortex XDR: Prevention, Analysis, and Response" (EDU-260)

Firewall Hardening Best Practices for Palo Alto Networks

30/10/2020

6 Comments

 
Introducing the all-new "Improving Security Posture and Hardening PAN-OS Firewalls" (EDU-214) course.

On Tuesday, 27th of October 2020, we ran this training workshop for Palo Alto Networks. It gives a taste of the new course by teaching a full module. Learn how to leverage the full potential of your Next-Generation FireWall by improving the security posture and hardening PAN-OS.
  • Best Practices - we show you the real thing so that you learn something valuable as a takeaway, no marketing fluff
  • ​Content - BPA using Expedition Tool, Policy Optimizer, Application-centric rules, Categorizing traffic into flows

Security Best Practices Checklist for Palo Alto Networks Next-Generation FireWalls

6/7/2020

11 Comments

 

​Over 300 Best Practices to ​secure your network

If implemented and managed correctly, the Palo Alto Networks Next-Generation FireWall is one of the few security solutions that can truly protect enterprises from modern cyber threats without negatively affecting their operation. Drawing on our more than 10 years of experience working with Palo Alto Networks, we have compiled this list of Best Practices to help you secure your network by leveraging the full potential of your Palo Alto Networks Next-Generation FireWall. Besides our own, it incorporates security best practices recommended by Palo Alto Networks "BPA" as well as the Center for Internet Security "CIS Controls".

Downloads:
  • security-best-practises-worksheet.xlsx (xlsx, 656 kb)
  • url-filtering-categories-for-web-access-policy.xlsx (xlsx, 24 kb)


Think this is useful ?
​We accept Testimonials and Comments as a Thank You


Authenticating GlobalProtect and Prisma Access remote access users against Office365 Azure AD

28/6/2020

7 Comments

 
Update 29.06.2020 - Mitigate SAML Bypass Vulnerability without upgrade (CVE-2020-2021) - This video explains how to securely set up SAML authentication end-to-end against Office 365 Azure AD. The critical part, which explains how to set up certificate validation of the SAML Identity Provider, starts at 29:35. With this configuration, there is no immediate need to upgrade the FireWall, although an upgrade should always be considered. It also fixes the commit error "Validate Identity Provider Certificate is checked but no Certificate Profile is provided authentication-profile".

Being able to authenticate your GlobalProtect or Prisma Access remote workers against Office 365 is very convenient as it provides a seamless single sign-on experience to the user. It's great from a security point of view as well, because you can use the integrated dual factor authentication that comes with Office 365.
To authenticate against Office 365, however, you cannot use classical protocols like LDAP or RADIUS; instead you need SAML. Luckily, both Microsoft and Palo Alto Networks have made the integration very simple, and in this video we will show you the configuration end-to-end with all the tips and tricks you need to know to make it work.

Palo Alto Networks Training - FireWall Best Practices | Want to learn more? Our Palo Alto Networks Courses teach you how to master the Next-Generation FireWall.

Update 30.6.2020 - at around 5:40 in the video I mention Microsoft's misleading example for using wildcards in the identifier URL. While wildcards are not supported in the standard marketplace app, they can be used in the manifest file of the enterprise app. This is tremendously useful on Prisma Access. Thanks to @Marc Barten for providing this information.


PowerShell Script

With this PowerShell script you can add multiple identifiers to the Azure AD Enterprise application as shown in the video.

# Sign in to Azure AD (requires the AzureAD PowerShell module)
Connect-AzureAD
# Look up the enterprise application used for GlobalProtect SAML
$app = Get-AzureADApplication -SearchString "Your GP SAML App"
$ReplyURLs = New-Object System.Collections.Generic.List[string]
$Identifiers = New-Object System.Collections.Generic.List[string]
# Reply URLs (SAML Assertion Consumer Service) for each portal and gateway
$ReplyURLs.Add("https://portal1.customer.com:443/SAML20/SP/ACS")
$ReplyURLs.Add("https://portal2.customer.com:443/SAML20/SP/ACS")
$ReplyURLs.Add("https://gw1.customer.com:443/SAML20/SP/ACS")
$ReplyURLs.Add("https://gw2.customer.com:443/SAML20/SP/ACS")
# Identifiers (SAML entity IDs) for each portal and gateway
$Identifiers.Add("https://portal1.customer.com:443/SAML20/SP")
$Identifiers.Add("https://portal2.customer.com:443/SAML20/SP")
$Identifiers.Add("https://gw1.customer.com:443/SAML20/SP")
$Identifiers.Add("https://gw2.customer.com:443/SAML20/SP")
# Write both lists back to the application
Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $ReplyURLs
Set-AzureADApplication -ObjectId $app.ObjectId -IdentifierUris $Identifiers
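
A read-only check to run after the script above, added here as an example and not part of the original post: it rebuilds the expected identifiers and reply URLs from the portal and gateway hostnames and reports entries that are missing from the application or registered without being expected. The function names are hypothetical, the hostnames are the post's placeholders, and it assumes explicit (non-wildcard) entries.

```powershell
# Added example, not from the original post. Function names are hypothetical;
# hostnames are the placeholders used in the post's script.

function Get-ExpectedSamlUrls {
    # Build the identifier (entity ID) and reply URL (ACS) for each
    # portal/gateway FQDN, using the URL pattern from the post's script.
    param([Parameter(Mandatory)][string[]]$HostNames)
    foreach ($h in $HostNames) {
        [pscustomobject]@{
            Identifier = "https://${h}:443/SAML20/SP"
            ReplyUrl   = "https://${h}:443/SAML20/SP/ACS"
        }
    }
}

function Compare-SamlRegistration {
    # Missing    = expected but not registered on the application
    # Unexpected = registered but not in the expected set (review before keeping)
    # -notin compares case-insensitively; empty values are skipped.
    param([string[]]$Expected, [string[]]$Registered)
    [pscustomobject]@{
        Missing    = @($Expected   | Where-Object { $_ -and $_ -notin $Registered })
        Unexpected = @($Registered | Where-Object { $_ -and $_ -notin $Expected })
    }
}

Connect-AzureAD

# -SearchString can match more than one application; refuse to guess.
$apps = @(Get-AzureADApplication -SearchString "Your GP SAML App")
if ($apps.Count -ne 1) {
    throw "Expected exactly one matching application, found $($apps.Count)."
}
$app = $apps[0]

$expected = @(Get-ExpectedSamlUrls -HostNames @(
    'portal1.customer.com', 'portal2.customer.com',
    'gw1.customer.com', 'gw2.customer.com'))

$report = [ordered]@{
    ReplyUrls      = Compare-SamlRegistration -Expected $expected.ReplyUrl   -Registered $app.ReplyUrls
    IdentifierUris = Compare-SamlRegistration -Expected $expected.Identifier -Registered $app.IdentifierUris
}

# One summary line per property; empty lists mean the registration matches.
foreach ($name in $report.Keys) {
    "{0}: missing=[{1}] unexpected=[{2}]" -f $name,
        ($report[$name].Missing -join ', '),
        ($report[$name].Unexpected -join ', ')
}
```

The check only reads the application object, so it can be re-run whenever a portal or gateway is added or retired.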


Policy based Forwarding "PBF" - Palo Alto Networks Training

25/1/2018

1 Comment

 
Getting a network to fail over between two Internet lines or even load balance traffic between them can be a real challenge. In this Palo Alto Networks Training Video, we will show you how it can be done using policy based forwarding "PBF".
FireWall Concepts Training Series - over the next couple of weeks and months we will release new videos on core concepts, explaining the fundamental workings of the Next-Generation FireWall starting with the Threat Landscape, then deployment methods, NAT, App-ID, SSL Decryption, VPNs and many more. Follow us on LinkedIn, Twitter or YouTube to stay up-to-date.
 

Security Best Practices Training Videos

Soon we will publish training videos explaining all of the Palo Alto Networks Security Best Practices in detail. Sign up to our mailing list and we will let you know once they are available, or follow us on LinkedIn, Twitter or YouTube to stay up-to-date.


Virtual Router - Palo Alto Networks Training

22/1/2018

4 Comments

 
Fully separating traffic is easy with the Next-Generation FireWall. While with other vendors you might need dedicated virtual systems, with Palo Alto Networks just adding another virtual router is enough. In this Palo Alto Networks Training Video, we will show you the concept, including inter-VR routing.

Layer 2 interfaces - Palo Alto Networks Training

18/1/2018

1 Comment

 
If you have some constraints in your network, then using Layer-2 interfaces can be very powerful, but it can become very complex very quickly, so it's important to keep it simple. In this Palo Alto Networks Training Video, we will explain the concept and some use cases.

Tap interfaces - Palo Alto Networks Training

16/1/2018

0 Comments

 
Deploying the Next-Generation FireWall in Tap mode is the easiest way to establish Full Network Visibility while not taking any operational risks. In this Palo Alto Networks Training Video, we will explain the concept and some use cases.

Virtual-Wire - Palo Alto Networks Training

12/1/2018

0 Comments

 
Deploying the Next-Generation FireWall using a Virtual-Wire is the fastest way to get it into the network and thereby establish Full Visibility and control. In this Palo Alto Networks Training Video, we will explain the concept and some use cases.

​© 2021 Copyright Consigas Ltd. All Rights Reserved
Consigas Limited is registered in Ireland under company number 524218

​Registered office is 6-9 Trinity Street, Dublin, D02 EY47​, Ireland